Kerberos (krb-wg)
-----------------
Charter
Last Modified: 2011-06-28
Current Status: Active Working Group
Chair(s):
Jeffrey Hutzelman
Larry Zhu
Sam Hartman
Security Area Director(s):
Stephen Farrell
Sean Turner
Security Area Advisor:
Stephen Farrell
Mailing Lists:
General Discussion: ietf-krb-wg@lists.anl.gov
To Subscribe: https://lists.anl.gov/mailman/listinfo/ietf-krb-wg
Archive: https://lists.anl.gov/pipermail/ietf-krb-wg/
Description of Working Group:
Kerberos over the years has been ported to virtually every operating
system. There are at least two open source versions, with numerous
commercial versions based on these and other proprietary implementations.

Kerberos evolution has continued in recent years, with the development
of new crypto and preauthentication frameworks, support for initial
authentication using public keys, improved support for protecting
clients' long-term keys during initial authentication, support for
anonymous and partially-anonymous authentication, and numerous
extensions developed in and out of the IETF.

However, wider deployment and advances in technology bring with them
both new challenges and new opportunities, such as exploring support
for new mechanisms for initial authentication, new cryptographic
technologies, and better integration of Kerberos with other systems
for authentication, authorization, and identity management.

In addition, several key features remain undefined.

The Kerberos Working Group will continue to improve the core Kerberos
specification, develop extensions to address new needs and technologies
related to the areas described above, and produce specifications for
missing functionality.

Specifically, the Working Group will:
* Complete existing work, including:
- DHCP Option (draft-sakane-dhc-dhcpv6-kdc-option-10.txt)
- KDC Data Model (draft-ietf-krb-wg-kdc-model-09.txt)
- One-Time Passwords (draft-ietf-krb-wg-otp-preauth-16.txt)
- IAKERB (draft-ietf-krb-wg-iakerb-02.txt)
- Single-DES Deprecation (draft-lha-des-die-die-die-05.txt)
- IANA registry creation (draft-lha-krb-wg-some-numbers-to-iana)
- Hash agility for GSS-KRB5 (draft-ietf-krb-wg-gss-cb-hash-agility-06.txt)
- Hash agility for PKINIT (draft-ietf-krb-wg-pkinit-alg-agility-05.txt)
- Referrals (draft-ietf-krb-wg-kerberos-referrals-12.txt)
- Set/Change Password (draft-ietf-krb-wg-kerberos-set-passwd-08.txt)
* Prepare and advance one or more standards-track specifications which
update the Kerberos version 5 protocol to support non-ASCII principal
and realm names, salt strings, and passwords, and localized error
reporting. Maximizing backward compatibility is strongly desired.
* Prepare and advance one or more standards-track specifications which
update the Kerberos version 5 protocol in a backward-compatible way
to support extending the unencrypted portion of a Kerberos ticket.
* Prepare, review, and advance standards-track and informational
specifications defining use of new cryptographic algorithms in the
Kerberos protocol, on an ongoing basis.
* Prepare, review, and advance standards-track and informational
specifications defining use of new cryptographic algorithms in
Kerberos using the RFC3961 framework. Cryptographic algorithms
intended for standards track status must be of good quality, have
broad international support, and fill a definite need.
* Prepare, review, and advance standards-track and informational
specifications defining new authorization data types for carrying
supplemental information about the client to which a Kerberos ticket
has been issued and/or restrictions on what the ticket can be used
for. To enhance this ongoing authorization data work, a container
format supporting the use cases of draft-sorce-krbwg-general-pac-01
may be standardized.
* Prepare a standards-track protocol to solve the use cases addressed
by draft-hotz-kx509-01 including new support for digital signatures.
* Prepare and advance one or more standards-track specifications
which define mechanisms for establishing keys and configuration
information used during authentication between Kerberos realms.
* Prepare and advance a standards-track specification defining a
format for the transport of Kerberos credentials within other
protocols.
* Today Kerberos requires a replay cache to be used in AP exchanges in
almost all cases. Replay caches are quite complex to implement
correctly, particularly in clustered systems. High-performance replay
caches are even more difficult to implement. The WG will pursue
extensions to minimize the need for replay caching, optimize replay
caching, and/or elide the need for replay caching.
* Produce an LDAP schema for management of the KDC's database.
Goals and Milestones:
Done First meeting
Done Submit the Kerberos Extensions document to the IESG for
consideration as a Proposed standard.
Done Complete first draft of Pre-auth Framework
Done Complete first draft of Extensions
Done Submit K5-GSS-V2 document to IESG for consideration as a
Proposed Standard
Done Last Call on OCSP for PKINIT
Done Consensus on direction for Change/Set password
Done PKINIT to IESG
Done Enctype Negotiation to IESG
Done Last Call on PKINIT ECC
Done TCP Extensibility to IESG
Done ECC for PKINIT to IESG
Done Naming Constraints to IESG
Done Anonymity to IESG
Done WGLC on preauth framework
Done WGLC on OTP
Done WGLC on data model
Done WGLC on cross-realm issues
Done WGLC on IAKERB
Done Anonymity back to IESG
Done WGLC on STARTTLS
Done WGLC on DHCPv6 Option
Aug 2011 draft-ietf-krb-wg-clear-text-cred to IESG
Aug 2011 draft-ietf-krbwg-camellia-cts to IESG
Aug 2011 draft-ietf-krb-wg-des-die-die-die to IESG
Sep 2011 DHCP option for Kerberos to IESG
Oct 2011 Internationalized error support to IESG
Oct 2011 draft-ietf-krb-wg-pkinit-alg-agility to IESG
Dec 2011 Kerberos PAD authorization data to IESG
Dec 2011 Consider adopting kx509bis in response to use cases in
draft-hotz-kx509-01
Internet-Drafts:
Posted    Revised   I-D Title
--------  --------  --------------------------------------------
Mar 2001  Mar 2011  Kerberos Principal Name Canonicalization and KDC-Generated
                    Cross-Realm Referrals
Nov 2006  May 2011  Kerberos Version 5 GSS-API Channel Binding Hash Agility
Oct 2007  Apr 2011  OTP Pre-authentication
Dec 2007  May 2011  An information model for Kerberos version 5
Feb 2008  May 2011  Kerberos Options for DHCPv6
Jun 2011  Jul 2011  The Unencrypted Form Of Kerberos 5 KRB-CRED Message
Request For Comments:
RFC      Stat      Published  Title
-------  --------  ---------  ------------------------------------
RFC3962  Standard  Feb 2005   AES Encryption for Kerberos 5
RFC3961  Standard  Feb 2005   Encryption and Checksum Specifications for Kerberos 5
RFC4120  Standard  Jul 2005   The Kerberos Network Authentication Service (V5)
RFC4121  Standard  Jul 2005   The Kerberos Version 5 Generic Security Service
                              Application Program Interface (GSS-API) Mechanism:
                              Version 2
RFC4537  PS        Jun 2006   Kerberos Cryptosystem Negotiation Extension
RFC4557  PS        Jun 2006   Online Certificate Status Protocol (OCSP) Support for
                              Public Key Cryptography for Initial Authentication in
                              Kerberos (PKINIT)
RFC4556  PS        Jun 2006   Public Key Cryptography for Initial Authentication in
                              Kerberos (PKINIT)
RFC5021  PS        Aug 2007   Extended Kerberos Version 5 Key Distribution Center
                              (KDC) Exchanges Over TCP
RFC5349  I         Sep 2008   Elliptic Curve Cryptography (ECC) Support for Public Key
                              Cryptography for Initial Authentication in Kerberos
                              (PKINIT)
RFC5868  I         May 2010   Problem Statement on the Cross-Realm Operation of
                              Kerberos
RFC6111  PS        Apr 2011   Additional Kerberos Naming Constraints
RFC6112  PS        Apr 2011   Anonymity Support for Kerberos
RFC6113  PS        Apr 2011   A Generalized Framework for Kerberos Pre-Authentication
RFC6251  I         May 2011   Using Kerberos Version 5 over the Transport Layer
                              Security (TLS) Protocol